From 1d1ebb9fc2ecece1c82f364181dd6cb03408f6b2 Mon Sep 17 00:00:00 2001
From: Khue Doan
Date: Sun, 31 Dec 2023 12:35:23 +0700
Subject: [PATCH] feat: install Kanidm for identity management

---
platform/kanidm/Chart.yaml | 6 ++
platform/kanidm/templates/certificate.yaml | 13 ++++
platform/kanidm/templates/issuer.yaml | 7 ++
platform/kanidm/values.yaml | 76 ++++++++++++++++++++++
scripts/kanidm-reset-admin-password | 5 ++
scripts/setupkanidm | 22 +++++++
6 files changed, 129 insertions(+)
create mode 100644 platform/kanidm/Chart.yaml
create mode 100644 platform/kanidm/templates/certificate.yaml
create mode 100644 platform/kanidm/templates/issuer.yaml
create mode 100644 platform/kanidm/values.yaml
create mode 100755 scripts/kanidm-reset-admin-password
create mode 100644 scripts/setupkanidm

diff --git a/platform/kanidm/Chart.yaml b/platform/kanidm/Chart.yaml
new file mode 100644
index 00000000..78d023cd
--- /dev/null
+++ b/platform/kanidm/Chart.yaml
@@ -0,0 +1,6 @@
+name: kanidm
+version: 0.0.0
+dependencies:
+ - name: app-template
+ version: 2.2.0
+ repository: https://bjw-s.github.io/helm-charts
diff --git a/platform/kanidm/templates/certificate.yaml b/platform/kanidm/templates/certificate.yaml
new file mode 100644
index 00000000..21135273
--- /dev/null
+++ b/platform/kanidm/templates/certificate.yaml
@@ -0,0 +1,13 @@
+# TODO https://github.com/kanidm/kanidm/issues/1227
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: kanidm-selfsigned
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretName: kanidm-selfsigned-certificate
+ issuerRef:
+ kind: Issuer
+ name: kanidm-selfsigned
+ dnsNames:
+ - home.arpa
diff --git a/platform/kanidm/templates/issuer.yaml b/platform/kanidm/templates/issuer.yaml
new file mode 100644
index 00000000..3362e7e4
--- /dev/null
+++ b/platform/kanidm/templates/issuer.yaml
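Review bot: In the certificate.yaml hunk the self-signed Certificate's only SAN is `home.arpa`, which matches neither the `auth.khuedoan.com` domain configured in values.yaml nor the in-cluster Service name the ingress controller actually dials once `backend-protocol: HTTPS` is set. It works only because ingress-nginx does not verify upstream certificates by default, so the ingress-to-kanidm hop is encrypted but not authenticated, and a workload able to answer for that Service name could in principle stand in for the IdP. Suggest issuing the certificate for the name the ingress connects to, `dnsNames: [<service-name>.<namespace>.svc]` (placeholder, use the Service the chart renders), and, if that hop should be verified, pairing it with the `nginx.ingress.kubernetes.io/proxy-ssl-secret` and `proxy-ssl-verify: "on"` annotations on the Ingress. The `# TODO` link would also read better with one clause saying what the issue blocks, e.g. `# TODO https://github.com/kanidm/kanidm/issues/1227 — blocks <describe what is waited for>`.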
@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: kanidm-selfsigned
+ namespace: {{ .Release.Namespace }}
+spec:
+ selfSigned: {}
diff --git a/platform/kanidm/values.yaml b/platform/kanidm/values.yaml
new file mode 100644
index 00000000..7b44fe1f
--- /dev/null
+++ b/platform/kanidm/values.yaml
@@ -0,0 +1,76 @@
+app-template:
+ controllers:
+ main:
+ type: statefulset
+ containers:
+ main:
+ image:
+ repository: docker.io/kanidm/server
+ tag: 1.1.0-rc.15
+ statefulset:
+ volumeClaimTemplates:
+ - name: data
+ size: 1Gi
+ globalMounts:
+ - path: /data
+ accessMode: "ReadWriteOnce"
+ configMaps:
+ config:
+ enabled: true
+ data:
+ server.toml: |
+ bindaddress = "[::]:443"
+ ldapbindaddress = "[::]:636"
+ # trust_x_forward_for = false
+ db_path = "/data/kanidm.db"
+ tls_chain = "/data/ca.crt"
+ tls_key = "/data/tls.key"
+ domain = "auth.khuedoan.com"
+ origin = "https://auth.khuedoan.com"
+ service:
+ main:
+ ports:
+ http:
+ enabled: false
+ https:
+ port: 443
+ protocol: HTTPS
+ ldap:
+ port: 636
+ protocol: TCP
+ ingress:
+ main:
+ enabled: true
+ className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+ hosts:
+ - host: &host auth.khuedoan.com
+ paths:
+ - path: /
+ pathType: Prefix
+ service:
+ name: main
+ port: https
+ tls:
+ - hosts:
+ - *host
+ secretName: kanidm-tls-certificate
+ persistence:
+ config:
+ enabled: true
+ type: configMap
+ name: kanidm-config
+ globalMounts:
+ - path: /data/server.toml
+ subPath: server.toml
+ tls:
+ enabled: true
+ type: secret
+ name: kanidm-selfsigned-certificate
+ globalMounts:
+ - path: /data/ca.crt
+ subPath: ca.crt
+ - path: /data/tls.key
+ subPath: tls.key
diff --git a/scripts/kanidm-reset-admin-password b/scripts/kanidm-reset-admin-password
new file mode 100755
index 00000000..7c4df1f1
--- /dev/null
+++ b/scripts/kanidm-reset-admin-password
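Review bot: In the values.yaml hunk `tls_chain = "/data/ca.crt"` hands cert-manager's `ca.crt` secret key to kanidm as its server chain. With the SelfSigned issuer that key happens to contain the same self-signed certificate as `tls.crt`, so it works today, but as soon as `issuerRef` is pointed at a real CA `ca.crt` becomes the issuer certificate and kanidm would present the wrong chain; mounting the leaf is the portable form: `tls_chain = "/data/tls.crt"` with `- path: /data/tls.crt` / `subPath: tls.crt` under `persistence.tls.globalMounts`. Separately, `tag: 1.1.0-rc.15` is a pre-release tag with no digest for the component that will hold every credential in the cluster; pinning `tag: 1.1.0-rc.15@sha256:<digest>` (placeholder) keeps a re-pushed tag from silently changing what runs. The commented-out `# trust_x_forward_for = false` also deserves a one-line reason, since behind the ingress kanidm will presumably record the ingress address rather than the client's in its audit log until that is enabled, which is worth confirming against the kanidm docs for this release.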
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+echo "WARNING: Kanidm admin can do anything in the cluster, only use it for just enough initial setup or in emergencies." >&2
+export KUBECONFIG=./metal/kubeconfig.yaml
+kubectl exec -it -n kanidm statefulset/kanidm -- kanidmd recover-account admin
diff --git a/scripts/setupkanidm b/scripts/setupkanidm
new file mode 100644
index 00000000..7e72803f
--- /dev/null
+++ b/scripts/setupkanidm
@@ -0,0 +1,22 @@
+# TODO Do not run this script directly, it only serves as documentation,
+# Proper automation will be added later, waiting for client library update:
+# https://github.com/kanidm/kanidm/pull/2301
+
+./scripts/kanidm-reset-admin-password
+# copy password manually
+kanidm login -D admin
+kanidm service-account credential generate -D admin idm_admin
+# copy password manually
+kanidm login -D idm_admin
+
+kanidm person create khuedoan "Khue Doan" --name idm_admin
+kanidm person update khuedoan --mail "mail@khuedoan.com"
+kanidm group create demo_group --name idm_admin
+kanidm group add-members demo_group khuedoan --name idm_admin
+kanidm person credential create-reset-token khuedoan --name idm_admin
+
+kanidm system oauth2 create dex Dex https://dex.khuedoan.com/callback
+kanidm system oauth2 show-basic-secret dex
+# add secret to k8s manually
+kanidm system oauth2 create-scope-map dex demo_group openid profile email groups
+kanidm system oauth2 warning-insecure-client-disable-pkce dex
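Review bot: In the kanidm-reset-admin-password hunk `export KUBECONFIG=./metal/kubeconfig.yaml` is resolved against the caller's working directory, so the script only targets the intended cluster when run from the repository root, and there is no `set -eu` to stop it when that assumption breaks. Resolving the path from the script's own location fixes both: `set -eu` followed by `export KUBECONFIG="$(dirname "$0")/../metal/kubeconfig.yaml"`. Since `kanidmd recover-account admin` prints the new admin password to the terminal (the sibling setupkanidm says "copy password manually"), extending the existing warning with a note that the password lands in terminal scrollback and should be rotated once `idm_admin` is set up would match the script's own caution.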
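Review bot: In the setupkanidm hunk the last line, `kanidm system oauth2 warning-insecure-client-disable-pkce dex`, switches PKCE off for the Dex client without saying why; kanidm puts `warning-insecure` in the subcommand name deliberately, and a reader who later upgrades Dex has no cue that this should be reverted. Put the reason and the exit condition directly above it, e.g. `# Dex's OIDC connector presumably does not send PKCE yet (confirm for the Dex version in use); drop this line once it does`. The neighbouring `# add secret to k8s manually` after `show-basic-secret` also leaves the destination implicit, so naming the Secret and key the value is meant to land in would make this file usable as the runbook its header says it is.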